We are Coles Group with registered number 460627257 and address Coles Group 76 King Street Maidstone Kent ME14 1BH. Our Data Protection Lead can be contacted at firstname.lastname@example.org. We have produced this privacy notice in order to keep you informed of how we handle your personal data. All handling of your personal data is done in compliance with the UK Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 ("Data Protection Legislation"). The terms "Personal Data", "Special Categories of Personal Data", "Personal Data Breach", "Data Protection Officer", "Data Controller", "Data Processor", "Data Subject" and "process" (in the context of usage of Personal Data) shall have the meanings given to them in the Data Protection Legislation. "Data Protection Lead" is the title given to the member of staff leading our data protection compliance programme in lieu of a requirement for a Data Protection Officer.
When reading this notice, it might be helpful to understand that your rights arising under Data Protection Legislation include:
You can exercise your right to access personal data held about you by contacting email@example.com with the subject line: "Subject Access Request". When you submit a 'subject access request', you will need to provide confirmation of your identity by including a photocopy of your driver’s license or passport. This service is provided free of charge and our response will be made within thirty (30) days, unless our Data Protection Lead deems your request as being excessive or unfounded. If this is the case, we will inform you of our reasonable administration costs in advance and/or any associated delays, giving you the opportunity to choose whether you would like to pursue your request. If you believe we have made a mistake in evaluating your request, please see the section 'Who can you complain to?'.
If you have questions about any of the rights mentioned in this section, please contact our Data Protection Lead at firstname.lastname@example.org.
Under Data Protection Legislation, there must be a ‘lawful basis’ for the use of personal data. The lawful bases are :
Legitimate interests are a flexible basis upon which the law permits the processing of an individual's personal data. To determine whether we have a legitimate interest in processing your data, we balance the needs and benefits to us against the risks and benefits for you of us processing your data. This balancing is performed as objectively as possible by our Data Protection Lead. You are able to object to our processing and we shall consider the extent to which this affects whether we have a legitimate interest.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:
Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
Contact Data includes billing address, delivery address, email address and telephone numbers.
Financial Data includes bank account and payment card details.
Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
Usage Data includes information about how you use our website, products and services.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
|Reference||What categories of information about you do we process?||Why are we processing your data?||Where did we get your personal data from?|
||Direct marketing to former, current and prospective clients. This processing is conducted lawfully on the basis of 'our legitimate interests'.||Directly obtained or by referral from existing clients/partners/suppliers.|
||To understand how you use our website, how you reached us and how long you spend on our website, in order to analyse our performance and improve our service. This processing is conducted lawfully on the basis of 'our legitimate interests'.||Directly obtained or indirectly obtained through a client's website (notice given at the point of collection).|
||To combat fraud, we share information of clients who instruct the payment issuer to cancel payments to us without first informing us of why and/or allowing us the opportunity to issue a refund with credit reference agencies. This processing is conducted lawfully on the basis of 'protection of your, or another's vital interests'.||Directly obtained or indirectly obtained through a client's website (notice given at the point of collection).|
||When you send us information about you by posting on a forum or blog, we will store this information in order to make it available for viewing on the website. You consent is obtained at the time of posting and via reference to this notice. This processing is conducted lawfully on the basis of 'your consent'.||Directly obtained or indirectly obtained through a client's website (notice given at the point of collection).|
||To setup a direct debit between your bank and ours, we pass your details to our bank and keep a copy for our records. This activity is conducted under the Direct Debit Guarantee Scheme. This processing is conducted lawfully on the basis of 'performance of a contract'.||Directly obtained.|
||We might record calls for training and/or auditing purposes. We also collect Calling Line Identification information. This is used to help improve the efficiency and accountability of our customer services. This processing is conducted lawfully on the basis of 'our legitimate interests'.||Directly obtained.|
|Email and Web Contact||
||If you contact us through our website or by email, we will use the information you send in order to respond to your enquiry or complaint. This information will be kept in order to improve our service to you overall. This processing is conducted lawfully on the basis of 'our legitimate interests'.||Directly obtained or indirectly obtained through our website (notice given at the point of collection).|
||If you make a purchase with us, we will add your contact information to our marketing list and send you information we think you might be interested in. This processing is conducted lawfully on the basis of 'our legitimate interests'.||Directly obtained.|
Cookies are small text files that are placed on your computer's hard drive through your web browser when you visit any web site. They are widely used to make web sites work, or work more efficiently, as well as to provide information to the owners of the site.
Like all other users of cookies, we may request the return of information from your computer when your browser requests a web page from our server. Cookies enable our web server to identify you to us, and to track your actions and the pages you visit while you use our website. The cookies we use may last for a single visit to our site (they are deleted from your computer when you close your browser), or may remain on your computer until you delete them or until a defined period of time has passed.
The information about you that we have collected for the performance of our contracts is required in order for us to successfully fulfil our obligations to you. If you choose not to provide the personal data requested, we will not be able to enter into a contract with you to provide the benefits we offer. If we are already processing your personal information under a contract, you must end our contractual relationship (as/where permitted) in order to exercise some of your rights.
We process some personal information as part of a contractual relationship with a Data Controller. Any requests to restrict this type of processing should be forwarded to the Data Controller; they will be responsible for discussing your concerns and making any decisions.
Legitimate interests are a flexible basis upon which the law permits the processing of an individual’s personal data. To determine whether we have a legitimate interest in processing your data, we balance the needs and benefits to us against the risks and benefits for you of us processing your data. This balancing is performed as objectively as possible by our Data Protection Lead. You are able to object to our processing and we shall consider the extent to which this affects whether we have a legitimate interest. If you would like to find out more about our legitimate interests, please contact email@example.com.
Coles Group does not perform any profiling or automated decision making based on your personal data.
Coles Group holds different categories of personal data for different periods of time. Wherever possible, we will endeavour to minimise the amount of personal data that we hold and the length of time for which it is held.
Coles Group passes your data to the third parties listed in the section ‘Third Party Interests’ below, for the purposes of providing our services to you, and for no other purpose.
Coles Group uses overseas web and IT providers. Details of what data is sent where, and the safeguards in place, are included in the section ‘Third Party Processors’ below.
|Name of Third Party Controller||What processing are we performing for them?||If applicable - who is their representative within the EU?|
|HMRC, regulatory authorities or other authorities||We are joint Controller with these authorities who require reporting of processing in some situations||N/A|
|Postal/Courier Providers||Where these providers act as Data Controller, we are joint Controller with them for the purposes of sending you physical documents.||N/A|
Our Data Processors
|Name of Third Party Processor||Purposes for Carrying out Processing|
|Maidstone County Court|
|Maidstone Borough Council|
|The Property Software Group|
|Tenancy Deposit Scheme|
|On The Market|
In addition to sending us your complaints directly to firstname.lastname@example.org, you can send complaints to our supervisory authority. As Coles Group predominantly handles the personal data of UK nationals, our supervisory authority is the Information Commissioner’s Office. If you believe that we have failed in our compliance with data protection legislation, complaints to this authority can be made by visiting ico.org.uk.